[108003] in North American Network Operators' Group

Re: hat tip to .gov hostmasters

daemon@ATHENA.MIT.EDU (Scott Francis)
Mon Sep 22 11:47:45 2008

Date: Mon, 22 Sep 2008 08:43:36 -0700
From: "Scott Francis" <darkuncle@gmail.com>
To: "NANOG list" <nanog@nanog.org>
In-Reply-To: <924f29280809220816h31c8b313o5aa4eae2482fa768@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On Mon, Sep 22, 2008 at 8:16 AM, Jason Frisvold <xenophage0@gmail.com> wrote:
> On Mon, Sep 22, 2008 at 11:02 AM, Chris Owen <owenc@hubris.net> wrote:
>> Chicken, meet egg.
>>
>> I think the point of the original post is that one end or the other has to
>> start things.  At least we have one US zone doing something on the server
>> end of things.
>
> Oh, agreed, absolutely.  And it's great to see.  However, neither the
> slashdot blurb, nor the NetworkWorld article mention that without a
> valid resolver, there is no guarantee of security.  Sure, they mention
> that vendors are rolling it out and that ISPs should be following
> suit, but no mention is made of the end-user's resolver at all...

the NetworkWorld article (in the printer-friendly version, at least)
has a little table that shows the DNSSEC status of the major vendors.
And support in the resolver library is not strictly necessary, as long
as you trust _your_ (or your ISP's) nameservers.

(not to say that it isn't a good idea, just that it's not a requirement
for initial rollout.)
-- 
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
 http://darkuncle.net/pubkey.asc for public key
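
An added illustration of the point in the message above (not part of the original post): a stub resolver with no DNSSEC support of its own can only read the AD (Authenticated Data) header bit that its validating recursive nameserver sets in the reply. The function names and the sample replies are constructed for this example.

```python
import struct

QR = 0x8000          # response flag
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
AD = 0x0020          # Authenticated Data: set by a validating resolver
RCODE_MASK = 0x000F  # low four bits of the flags word
SERVFAIL = 2         # what a validating resolver returns for bogus data


def build_query(name, qtype=1, txid=0x1234):
    """Build a plain DNS query; AD set in a query says the client understands AD."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def stub_verdict(response, txid):
    """Classify a reply from the header alone, as a non-validating stub must.

    The result is only as trustworthy as the resolver and the network path
    to it: nothing here verifies a signature.
    """
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        return "mismatch"
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        return "servfail"
    if rcode != 0:
        return "error"
    return "validated-by-resolver" if flags & AD else "unvalidated"


def constructed_reply(query, flags):
    """Constructed sample: echo the query with a reply flags word swapped in."""
    return query[:2] + struct.pack("!H", flags) + query[4:]


if __name__ == "__main__":
    q = build_query("example.gov")
    for label, flags in [("signed zone", QR | RD | RA | AD),
                         ("unsigned zone", QR | RD | RA),
                         ("validation failed", QR | RD | RA | SERVFAIL)]:
        print(label, "->", stub_verdict(constructed_reply(q, flags), 0x1234))
```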

